IT solutions in action

Goal: In 2001, a computer worm brought Fulton County's networks to a screeching halt. The IT staff immediately began implementing security measures to avoid further network disruptions.

Obstacle: Securing PCs and servers throughout the infrastructure was a significant step, but it didn't address the problem of portable devices accessing the networks.

Solution: Fulton County adopted intelligent intrusion detection software from Sana Security. The software learns what constitutes normal network activity and can cut off malicious attacks before they bring down the network.

Payoff: While Fulton County continues to apply the necessary patches and virus definitions throughout its network, the Sana solution can protect its infrastructure from sudden, unidentified attacks for which no patch is yet available.

Robert Taylor needs eyes in the back of his head to manage network security for Fulton County, Ga., home of the state capital Atlanta. The sprawling, 530-square-mile county, which includes an airport and a jail that rank among the busiest in the nation, has a similarly sprawling IT infrastructure.

More than 100 servers are running Microsoft Windows in Fulton County, and another 20 are running Unix. A self-healing, fiber-optic ring connects government campuses in the north and south of the county to their own Gigabit Ethernet LANs, while metropolitan Ethernet, frame relay and DSL connections link other county facilities to an institutional network.

Overall, said Taylor, county chief information officer, his staff operates a massive network connecting more than 6,000 PCs in 225 buildings.

Three years ago, the county's desktop computers were protected with Norton Antivirus. A hot backup site 20 miles from Atlanta could get the networks back up and running within two hours if the main county campus was brought down by disaster.

But in fall 2001, a little piece of software code -- a worm -- exposed holes in the network security. "Nimda brought our network to a screeching halt," Taylor said.

And Nimda was just the beginning. Taylor's team spent three months putting in a layered antivirus system, supported by daily updates broadcast from the county's servers to its desktops. For the time being, Taylor felt comfortable.

Then a new vulnerability emerged. In October 2003, an unprotected notebook carrying the Welchia worm was brought into the network and set off a packet storm that flooded the infrastructure. Only about 30 of the county's 6,000 PCs became infected, but Taylor said, no valid data could get in because of the data traffic that the worm generated.

The worm effectively shut down other operations, among them the jail's booking system, which meant that prisoners could not be released. The sheriff said he wasn't letting anybody go until Taylor's staff could get the network back up and running. The result was a public relations black eye and intense pressure to return things to normal.

"It took us four or five days to get those things under control," Taylor said. "I realized we had a problem. We had our walls up, but there was nothing inside that kept us from getting infected again."

The county turned to an intrusion prevention tool called Primary Response from Sana Security Inc. of San Mateo, Calif. Primary Response uses software agents that run on servers and recognize and block abnormal behavior, helping stop the internal spread of worms and squelch denial-of-service attacks from floods of packets. The software uses what Sana calls Adaptive Profiling Technology to learn the differences between normal and abnormal application behavior.

After Primary Response three months ago stood up to attacks on test servers, Fulton County cautiously began rolling it out.

"We started with the least critical servers and worked our way up," said Rod Smith, Fulton County's chief information security officer.

Then the county, which also wanted to protect its desktop machines, learned that Sana was working on Attack Shield, a lightweight set of intrusion prevention products for PCs. Worm Suppression, the first in the Attack Shield line of products for PCs, was announced in October, and Fulton County took it into its IT labs for testing.

Attack Shield WS works at the Windows operating system level to block code injection exploits, the largest class of risks from network worms. Like Primary Response, it blocks abnormal behavior, but Attack Shield WS looks only at interactions between applications and Windows core services.

Because it is behavior-based rather than signature-based, Attack Shield WS requires no updates or administration once it's been placed on the desktop.

Unlike some products that differentiate between normal and abnormal behavior, Attack Shield's narrow focus requires no learning time on the system and no exception handling. It's available as a self-installing add-on for PCs at about $10 per machine and can be embedded at the OS level by system vendors and integrators.

Companies such as Science Applications International Corp. have signed on to promote Sana's technology.

"Our large enterprise customers are asking for more automated, highly scalable security solutions that offer server and application protection against unknown, zero-day attacks," said James Smith, SAIC's Enterprise Security Solutions Division manager, in a June statement announcing a marketing agreement with Sana.

Count Taylor among those customers. "We've got Attack Shield in our lab now, and we're ready to start rolling it out," he said.

With Sana's products, Fulton County hopes to protect itself from malicious code that gets past the network perimeter while making its infrastructure less inviting to worms.

William Jackson is a senior editor for Government Computer News. If you have an innovative solution that you recently installed in a government agency, contact Staff Writer Doug Beizer at dbeizer@postnewsweek

tech.com.

About the Author

William Jackson is a Maryland-based freelance writer.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately
after submitting. We will not post comments that we consider abusive or off-topic.

What is your e-mail address?

Do you have a password?

Trending

In an exclusive for WT Insider members, we are collecting all of the contract awards we cover into a database that you can sort by contractor, agency, value and other parameters. You can also download it into a spreadsheet. Our databases track awards back to 2013.
Read More